Post-PCI: Visa Experiments With More Secure Card Strategies
Written by Evan Schuman
Visa has been experimenting—through retail and processor partners—with several alternative security approaches for its cards, including a challenge and response effort at OfficeMax, a digital card fingerprint-like image at processor Fifth Third and a strict data segregation experiment at McDonald’s.
Visa’s chief enterprise risk officer, Ellen Richey, said the program is all about looking for the next security approach, to identify ways to develop security measures that are currently not a part of PCI. She said that Visa looks favorably on some form of the chip-and-PIN approach that is used today in the U.K. “It’s a matter of when we are going to adopt it and how,” she said, adding that existing contactless payment trials in the U.S. are based on similar technology. “We fully support this technology (chip) as there are different needs in different parts of the world.”
Added Gerry Sweeney, global head, E-Commerce & Authentication at Visa: “We must move from static data to dynamic data, particularly in the area of authenticating consumers and cards.”
The challenge and response pilot was started late last year at 100 OfficeMax stores in Illinois, Indiana and Florida, according to OfficeMax Treasurer William Van Orman. “It originally was to be completed by May of this year. It was initially supposed to be a six-month pilot, but it was extended by four more months at the request of Visa,” Van Orman said.
The trial has cashiers asking consumers a series of rotating questions, including asking them to say their Zip Code, the last four numbers of their home phone number, the last four digits of their cell phone number and their home phone area code, Van Orman said. The trial has had small impacts on store operations, such as requiring disclosure signs near the POS and additional associate training. But Van Orman said his team detected no speed reductions at POS.
Fifth Third Bank, one of the largest card processors, argued that a popular theoretical approach—true end-to-end encryption—is a good idea on paper but has logistical hurdles that may ultimately make it unviable. “With end-to-end encryption, there is a tremendous key management issue,” said Fifth Third’s Don Roeber, vice president and manager of merchant PCI compliance. “It’s a significant challenge for (retailers) to manage all those keys. It has some implementation issues.”
Instead, he’s been pushing—and testing—an approach where the processor can take a digital snapshot of the card’s magstripe. “It’s like a digital ID. We read that swipe and take a picture. It’s like a fingerprint, a DNA print of that card,” he said, adding that Fifth Third quietly installed 1,000 specially designed readers at retailers, saying that it was just part of their normal upgrade process. “It was transparent to the merchant,” Roeber said.